The advisory comes in response to a cyberattack targeting an unnamed natural gas compression facility that employed spear-phishing to deliver ransomware to the company's internal network, encrypting critical data and knocking servers out of operation for almost two days.
"A cyber threat actor used a spear-phishing link to obtain initial access to the organization's information technology network before pivoting to its operational technology network. The threat actor then deployed commodity ransomware to encrypt data for impact on both networks," CISA noted in its alert.
As ransomware attacks continue to escalate in frequency and scale, the new development is yet another indication that phishing attacks continue to be an effective means to bypass security barriers and that hackers don't always need to exploit security vulnerabilities to breach organizations.
CISA highlighted that the attack did not impact any programmable logic controllers (PLCs) and that the victim did not lose control of its operations. But in the aftermath of the incident, the company is reported to have initiated a deliberate operational shutdown, resulting in a loss of productivity and revenue.
Noting that the impact was limited to Windows-based systems and assets located in a single geographic locality, it said the company was able to recover from the attack by getting hold of replacement equipment and loading last-known-good configurations.
Although the notification is lean on the specifics of the attack, this is not the first time phishing links have been employed to deliver ransomware. Lake City's I.T. network was crippled last June after an employee inadvertently opened a suspicious email that downloaded the Emotet Trojan, which in turn downloaded TrickBot Trojan and Ryuk ransomware.
Zero Trust + Deception: Learn How to Outsmart Attackers!
Discover how Deception can detect advanced threats, stop lateral movement, and enhance your Zero Trust strategy. Join our insightful webinar!Save My Seat!
The evolving threat landscape means companies need to consider the full scope of threats posed to their operations, including maintaining periodic data backups and devising fail-over mechanisms in the event of a shutdown.
Aside from securing the email channel and identifying and protecting the most attacked individuals, this also underscores the need for adopting appropriate anti-phishing measures to stop social engineering attempts from reaching their targets' inboxes and training people to spot mails that get through.
Additionally, it's imperative that vulnerable organizations safeguard the digital supply chain by segmenting critical network infrastructure using firewalls and conducting periodic security audits to identify gaps and weaknesses.
For a full list of mitigative measures that can be undertaken, head to the CISA advisory here.
Cybersecurity firm Dragos issued an assessment on Wednesday linking the attack on the facility to an alert put out by the US Coast Guard in December. The Ryuk ransomware infection had forced the facility to shut down for 30 hours, disrupting camera and physical access control systems, along with shutting down the entire corporate IT network at the facility.
The analysis cited overlaps in the outage period between the two reports, the impact on Windows-based systems, and the primary attack vector being an email message containing a malicious link.